Licenses and distributed deployments

Note: This topic does not pertain to standalone Splunk Enterprise deployments, which consist of a single Splunk Enterpirse instance plus forwarders. For a standalone deployment, simply install the license appropriate to your needs directly on the instance. See Types of Splunk software licenses.

Distributed Splunk Enterprise deployments consist of multiple Splunk Enterprise instances. Separate instances perform various functions such as indexing and search management. Each instance is categorized as one or more component types, based on the functions that it performs.
In most cases, an instance serves as just a single component, but it is possible for an instance sometimes to combine the functionality of several components.

This topic discusses the license requirements for each component type. For more information on the types of licenses discussed in this topic, see Types of Splunk software licenses.

License requirements

In a distributed deployment, most Splunk Enterprise instances need access to an Enterprise license:

Instances need access to an Enterprise license, unless they are functioning only as forwarders. They need this access even if they will not be indexing external data, because the defining features of a distributed deployment, such as distributed search, are available only with Enterprise licenses. For information on the set of features that require an Enterprise license, see About Splunk Free.

Forwarders need only a Forwarder license, as long as they are functioning solely as forwarders. If they are also performing functions such as indexing data or managing searches, they need access to an Enterprise license.

The recommended way to give instances access to an Enterprise license is to make them slaves of a license master.

This table provides a summary of the license needs for the various Splunk Enterprise component types.

Component type

License type

Notes

Indexer

Enterprise

Search head

Enterprise

Deployment server

Enterprise

Indexer cluster master node

Enterprise

Search head cluster deployer

Enterprise

Monitoring console

Enterprise

Universal forwarder

Forwarder

Light forwarder

Forwarder

Heavy forwarder

Forwarder

Heavy forwarders that index data need access to an Enterprise license instead of a Forwarder license.

The light forwarder uses the Forwarder license, but you must manually enable it by changing to the Forwarder license group.

The heavy forwarder must also be manually converted to the Forwarder license group. If the heavy forwarder will be performing indexing, the forwarder must instead have access to an Enterprise license.

Note: A forwarder can use the Free license instead of a Forwarder license, but some important functionality is unavailable with a Free license. In particular, a forwarder using a Free license cannot be a deployment client and it cannot make use of authentication. See About Splunk Free.

Clustered deployments and licensing issues

Indexer cluster nodes

An indexer cluster is a group of indexers that replicate data to promote high availability and disaster recovery. Besides indexers, referred to as "peer nodes" in this context, indexer clusters include other node types; specifically, a master node and one or more search head nodes.

Each indexer cluster node requires an Enterprise license. There are a few license issues that are specific to indexer clusters:

Cluster nodes must all share the same licensing configuration.

Only incoming data counts against the license; replicated data does not.

Search head cluster members

A search head cluster is a group of search heads that coordinate their activities. Each search head in a search head cluster is referred to as a member.

Each search head cluster member needs access to an Enterprise license.

The search head cluster deployer, which distributes apps to the members, also needs access to an Enterprise license.

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

Feedback submitted, thanks!

You must be logged into splunk.com in order to post comments.
Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic.
If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk,
consider posting a question to Splunkbase Answers.

0
out of 1000 Characters

Your Comment Has Been Posted Above

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website.
Learn more (including how to update your settings) here »